Open Source web client access multiple Zimbra servers

I've got a problem that I hope other Admins out there can help me with. I have several Zimbra open source servers that I manage. When I set up the web client to access accounts I have no problems setting up multiple email sources outside of Zimbra. And I can set up the web client to pull from different Zimbra accounts on the same server (same domain). The problem comes in when I try to set up the web client to access email on a different Zimbra server for a different domain. I go to the Preferences and Accounts and click "Add External Account". It doesn't matter whether I set it to POP3 or IMAP, I still get an error. It's hard for me to capture the error because I can't copy and paste the text from the error message, but I'll try and type it in here. The error reads:

I would like to get this working because I have to check mail from both Zimbra servers and it would be much easier to check it in one web mail interface and not have to do it on two separate computers. Also, I know that I could do this with the Zimbra Desktop client, but that's really not an option because I am not always checking my mail on the same machine. So I have to use the Web Client for getting my mail.

As I said in my original post, I am not always accessing my email on the same computer. Desktop would tie me to one system that it's installed on. I access my mail from many different places throughout the week, and the easiest way for me to do that is by using the Web Client to access my mail.

It seems to be a problem with SSL negotiation, if this is used on the servers. There were issues quite some time ago with problems accessing Dreamhost and other ISP servers too. At least part of your error message defines a mismatch of hash keys, where one is in md5 format and the other in sha1 format. One of the SSL certs is encrypted in the wrong (not incorrect, but not widely used) format. Sorry, I cannot give you more specific directions, as it was so long ago that I do not remember, nor do I have my notes with me.

Oddly enough, I just stumbled over the same problem and had to recover my notes. The problem behind such an error lies in the fact that the server you're trying to connect to (attaching a remote datastore with IMAP via the Zimbra Web client) is using a misconfigured or self-signed SSL certificate. There are many discussion threads in this forum regarding a solution to the problem, touching several zimbra zmlocalconfig parameters, but with no clarity on the exact steps to solve it.

I solved this issue (at least in my case, regarding a SELF-SIGNED SSL CERTIFICATE), but some elaboration on this would be appreciated. And to be honest, from a future management perspective, life for both parties would be much easier if the target system (the one FROM which you are trying to fetch IMAP mail, referenced further in this comment as "Target system") deployed a commercial certificate. It really does not cost too much these days, and it saves you from having to remember how to recover from this issue in the future, when the admins of this Target system change or renew their self-signed cert again.

Short answer: you have to download the SSL certificate from the Target system into a file in a temporary place on your mailbox server (say /tmp). After that, using keytool, import this certificate into the cacerts file. Then restart mailbox.

STEP BY STEP

All tasks are done on your mailbox server, as we have to tell it to trust this external certificate. I did this as the zimbra user, but had to temporarily change the permissions of a particular file.

3. copy the certificate part of the CLI output
Find a part like this and copy it, including the START & END lines, without any whitespace or unneeded characters. You MUST NOT COPY the "Server certificate" part, it's just for reference on what to look for in the output! You are interested ONLY in the green text part!!!

As zimbra user:
8. restart mailbox service
$ zmcontrol restart
(note - it probably would be ok with $ zmmailboxdctl restart, but I decided to get a full clean restart of ZCS, which takes longer, thus introducing a longer disruption of services).

That's it. Try adding the External account again. Apparently, some CLI gurus might optimize some parts, and that is welcome. Our life would get easier.

Now, why encourage Target system operators to deploy a commercial cert? Because, besides other benefits, if they change something in their system, or renew their self-signed cert, you will have to remember this, find these notes, and redo it again and again, still experiencing additional errors and a lack of online information in the meantime. Is this worth it?

Now, the tricky part, for which I didn't get proof, is the discussions regarding the following zmlocalconfig options:
- data_source_trust_self_signed_certs (defaults to false)
- ssl_allow_untrusted_certs (defaults to false)
- javamail_imap_enable_starttls (defaults to true)

Some sky clearing would be appreciated on how these configuration booleans interact with all this. There were some discussions where it was enough to change data_source_trust_self_signed_certs to true, but that one particular setting didn't change any behaviour at all.

To be honest, I really do not think that javamail_imap_enable_starttls actually has anything to do with the error, if it's connected to trusting a self-signed cert. This might be connected with other types of errors regarding the IMAP connection.
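
Added example (not part of the original posts, and not Zimbra's own tooling): a shell sketch of the fetch-and-import procedure described above, with one extra check that the thread does not mention, namely comparing the fetched certificate's SHA-256 fingerprint against a value obtained from the Target system's admins out of band before trusting it. Host, port (an implicit-TLS port such as IMAPS is assumed), keystore path, alias and the expected fingerprint are all caller-supplied assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Host, port, keystore path, alias and the
# expected fingerprint are caller-supplied assumptions.

# Read `openssl s_client` output on stdin and print only the first complete PEM
# block (the server's own certificate), trimmed of stray whitespace.
extract_leaf_cert() {
  awk '
    /-----BEGIN CERTIFICATE-----/ { inside = 1 }
    inside { gsub(/^[ \t]+|[ \t\r]+$/, ""); print }
    inside && /-----END CERTIFICATE-----/ { complete = 1; exit }
    END { exit(complete ? 0 : 1) }   # fail on a truncated copy
  '
}

# Reduce "sha256 Fingerprint=AB:CD:..." or a bare fingerprint to lowercase hex.
normalize_fp() {
  printf '%s' "$1" | sed 's/^.*=//' | tr -d ': \n' | tr 'A-F' 'a-f'
}

fp_matches() { [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]; }

# Fetch, verify against the out-of-band fingerprint, then import.
import_pinned_cert() (
  host=$1; port=$2; expected_fp=$3; keystore=$4; cert_alias=$5
  pem=$(mktemp) || exit 1
  trap 'rm -f "$pem"' EXIT
  openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
    extract_leaf_cert >"$pem" || { echo "no complete certificate received" >&2; exit 1; }
  actual=$(openssl x509 -in "$pem" -noout -fingerprint -sha256) || exit 1
  fp_matches "$actual" "$expected_fp" ||
    { echo "fingerprint mismatch, not importing: $actual" >&2; exit 1; }
  # keytool prompts for the keystore password
  keytool -importcert -noprompt -alias "$cert_alias" -file "$pem" -keystore "$keystore"
)

# usage: script HOST PORT EXPECTED_SHA256_FP KEYSTORE_PATH ALIAS
if [ "$#" -eq 5 ]; then import_pinned_cert "$@"; fi
```

After a successful import, the mailbox restart from step 8 is still needed before the web client picks up the new trust entry.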